Federal agencies have dropped the ball on data breaches: GAO

April 02, 2014 | Reuters

WASHINGTON (Reuters) - Federal agencies have a spotty record of handling data breaches, which can include the theft of sensitive information such as Social Security numbers, financial data and health history, the investigative arm of the U.S. Congress said in a report on Wednesday.

The number of such incidents involving personal data increased to 25,566 last year from 10,481 in 2009, the Government Accountability Office said. That total counts both cyber incidents, such as network intrusions, and non-cyber breaches, such as lost or stolen devices and paper records.

Incidents have ranged from the highly publicized theft in 2006 of a laptop and external hard drive belonging to the Veterans Affairs Department that contained personal data on 26.5 million veterans and active duty members of the military, to the hacking of a Federal Aviation Administration computer that contained data on 45,000 agency employees and retirees.

"It is critical that federal agencies take steps to secure the information that they collect, retain, and disseminate and that, when events such as data breaches occur, they respond swiftly and appropriately," Gregory Wilshusen, the GAO's director of information security issues, said in remarks prepared for a congressional hearing on data breaches on Wednesday.

Of the seven agencies whose breaches were analyzed by the GAO, only the Internal Revenue Service consistently calculated how much personal information was at risk in the incidents, and only the IRS and the U.S. Army documented how many people may have been affected, the report said.

Only the Army and the Securities and Exchange Commission notified the people whose data may have been exposed.

Senators Tom Carper, a Democrat from Delaware, and Roy Blunt, a Missouri Republican, introduced a breach notification measure in January aimed at creating a single standard.

But consumer groups have warned that companies may be pressing for a federal standard in hopes that it would be weaker than many of the state laws.

California was the first state to adopt a data breach law in 2003 and it is among the toughest. It requires a detailed disclosure to consumers "in the most expedient time possible and without unreasonable delay" when personal information, including emails with passwords, is "reasonably believed" to have been stolen.